Tivoli Federated Identity Manager, Version 6.2    

Creating a trust chain for Kerberos constrained delegation

The domain must contain an instance of a Kerberos constrained delegation trust module before you build the trust chain. If you have not already created an instance, do so now. See Creating a Kerberos constrained delegation module instance.

To configure the trust chain correctly, you must ensure that the properties align with WebSEAL configuration properties. Before running the trust chain wizard, you should:

To build the trust chain:

  1. Login to the WebSphere® console.
  2. Click Tivoli Federated Identity Manager -> Configure Trust Service -> Trust Service Chains. The Trust Service Chains portlet is displayed.
  3. Click Create. The configuration wizard starts. The Introduction page is displayed.
  4. Click Next. The Chain Mapping Identification panel is displayed.
  5. Enter the requested values.
    1. Enter a name in the Chain Mapping Name field.
    2. Optionally enter a description in the Description field.
    3. Do not select the Create a dynamic chain check box.
    4. Click Next. The Chain Mapping Lookup panel is displayed.
  6. Enter the requested values.
    1. Set Request Type to Issue Oasis URI.

      The corresponding value for Request Type URI is automatically entered by the wizard.

    2. Set Lookup Type to Use Traditional WS-Trust Elements (AppliesTo, Issuer, and TokenType).
    3. Enter values in the AppliesTo section.

      Enter values for the fields:

      • Address
        For example:
        http://websealhost.example.com/krbjct
      • Service Name.

        For example, set both fields to the asterisk character ( * ).

      • Leave the Port Type fields blank.

      For help, see Planning configuration of the trust chain.

    4. Enter values in the Issuer section.
      • In the Address field, enter:
        amwebrte-sts-client
      • Leave the Service Name field and Port Type field blank.
    5. For Token Type, select Kerberos GSS V5.
    6. Click Next.

      The Chain Identification panel is displayed.

  7. Do not select Initialize the chain upon startup of runtime. Click Next.

    The Chain Assembly panel is displayed.

  8. Build the trust chain:
    1. For Module Instance, select Default IVCred Token
    2. For Mode, select validate.
    3. Click Add selected module to chain.
    4. For Module Instance, select the Module Instance Name you specified in Creating a Kerberos constrained delegation module instance. For example,
      Kerberos Junction
    5. For Mode, select issue.
    6. Click Add selected module to chain.
  9. Click Next.
    Note: A warning is displayed stating that the chain lacks a module in map mode. You can ignore this warning: this chain only validates the Access Manager credential and issues the Kerberos token, so no mapping module is needed. For more information, see Planning configuration of the trust chain.

    The Access Manager Credential (IVCred) Module Configuration panel is displayed.

  10. Do not select Enable signature validation. Click Next.

    The Kerberos Delegation Module Configuration panel is displayed.

  11. If necessary, specify the Default target Service Principal Name, or change the options for adding a suffix to the Tivoli® Access Manager user name that is used for Kerberos authentication.
    Note: In most cases, you can leave the Default target Service Principal Name field blank and keep the default selection for the suffix options. See Planning configuration of the trust chain.
  12. Click Next. The Summary panel is displayed.
  13. Click Finish.
  14. In the Current Domain portlet, click Load configuration changes to the Tivoli Federated Identity Manager runtime.
The trust chain configuration is now complete.
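The Chain Mapping Lookup values entered in step 6 are what the trust service compares against the WS-Trust RequestSecurityToken (RST) that WebSEAL sends for the junction; if the AppliesTo address, Issuer, or token type you enter does not align with what WebSEAL actually sends, no chain is selected and the Kerberos token is never issued. The following Python script is an added example, not Tivoli Federated Identity Manager or WebSEAL code. It parses a constructed RST, extracts the lookup fields, and reports which wizard values the request fails. The WS-Trust, WS-Addressing and WS-Policy namespace versions, the OASIS URIs assumed to stand behind the Issue Oasis URI and Kerberos GSS V5 choices, the simplified matching rule (blank or asterisk means unconstrained, anything else must match exactly), and both sample requests are assumptions made for illustration, not TFIM's real lookup semantics.

```python
"""Check whether the RST WebSEAL sends would select the KCD trust chain.

Added example, not TFIM or WebSEAL code. Models the Chain Mapping Lookup
values from the wizard and matches them against the RST fields the trust
service uses for lookup: RequestType, AppliesTo, Issuer and TokenType.
"""
import xml.etree.ElementTree as ET

# Namespaces used in the constructed RST below. The exact versions that
# TFIM 6.2 / WebSEAL use are an assumption of this example.
NS = {
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
}

# Values entered in the wizard (Chain Mapping Lookup panel). The RequestType
# and TokenType URIs are the OASIS identifiers assumed to correspond to the
# "Issue Oasis URI" and "Kerberos GSS V5" choices.
KCD_CHAIN_LOOKUP = {
    "request_type": "http://schemas.xmlsoap.org/ws/2005/02/trust/Issue",
    "applies_to_address": "http://websealhost.example.com/krbjct",
    "applies_to_service_name": "*",   # both QName fields set to the asterisk
    "applies_to_port_type": "",       # left blank
    "issuer_address": "amwebrte-sts-client",
    "issuer_service_name": "",        # left blank
    "issuer_port_type": "",           # left blank
    "token_type": ("http://docs.oasis-open.org/wss/"
                   "oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ"),
}


def _text(elem, path):
    """Text of the first element at `path` (namespace-prefixed), or ""."""
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else ""


def parse_rst(xml_text):
    """Extract the lookup-relevant fields from a RequestSecurityToken."""
    rst = ET.fromstring(xml_text)
    epr = "wsp:AppliesTo/wsa:EndpointReference/"
    return {
        "request_type": _text(rst, "wst:RequestType"),
        "applies_to_address": _text(rst, epr + "wsa:Address"),
        "applies_to_service_name": _text(rst, epr + "wsa:ServiceName"),
        "applies_to_port_type": _text(rst, epr + "wsa:PortType"),
        "issuer_address": _text(rst, "wst:Issuer/wsa:Address"),
        "issuer_service_name": _text(rst, "wst:Issuer/wsa:ServiceName"),
        "issuer_port_type": _text(rst, "wst:Issuer/wsa:PortType"),
        "token_type": _text(rst, "wst:TokenType"),
    }


def lookup_mismatches(lookup, rst_fields):
    """Return [(field, wanted, got)] for every lookup value the RST fails.

    Simplified rule (assumption, not TFIM's real matching): a blank lookup
    value or "*" does not constrain the field; anything else must equal the
    RST value exactly. An empty list means the chain would be selected.
    """
    mismatches = []
    for field, wanted in lookup.items():
        if wanted in ("", "*"):
            continue
        got = rst_fields.get(field, "")
        if got != wanted:
            mismatches.append((field, wanted, got))
    return mismatches


def _rst(applies_to_address):
    """Constructed RST in the shape WebSEAL's STS client is assumed to send."""
    return f"""<wst:RequestSecurityToken
    xmlns:wst="{NS['wst']}" xmlns:wsp="{NS['wsp']}" xmlns:wsa="{NS['wsa']}">
  <wst:RequestType>{NS['wst']}/Issue</wst:RequestType>
  <wst:Issuer><wsa:Address>amwebrte-sts-client</wsa:Address></wst:Issuer>
  <wsp:AppliesTo>
    <wsa:EndpointReference>
      <wsa:Address>{applies_to_address}</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  <wst:TokenType>{KCD_CHAIN_LOOKUP['token_type']}</wst:TokenType>
  <wst:Base><!-- base64 Access Manager credential (IVCred) goes here --></wst:Base>
</wst:RequestSecurityToken>"""


# Matching request: AppliesTo is the junction URL entered in the wizard.
GOOD_RST = _rst("http://websealhost.example.com/krbjct")
# Same request with an https AppliesTo: one character off, so no chain matches.
BAD_RST = _rst("https://websealhost.example.com/krbjct")

if __name__ == "__main__":
    for label, rst in (("matching", GOOD_RST), ("mismatching", BAD_RST)):
        result = lookup_mismatches(KCD_CHAIN_LOOKUP, parse_rst(rst))
        print(label, "->", result or "chain selected")
```

Run it as-is to see the first request select the chain and the second fail on applies_to_address only. When a real deployment reports that no chain matched, the practical check is the same: capture the RST WebSEAL sends and compare its AppliesTo Address, Issuer Address and TokenType field by field against what you typed in the Chain Mapping Lookup panel.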
